From e87404c3279db6f751a15404328ebaf2c9a6aa53 Mon Sep 17 00:00:00 2001 From: Charlton Austin Date: Wed, 22 Feb 2017 14:35:11 -0500 Subject: [PATCH] Adding in what metadata_root_name to JWT --- endpoints/v2/test/test_v2auth.py | 18 ++++++++++++++++++ endpoints/v2/v2auth.py | 22 ++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 endpoints/v2/test/test_v2auth.py diff --git a/endpoints/v2/test/test_v2auth.py b/endpoints/v2/test/test_v2auth.py new file mode 100644 index 000000000..0989c6c4a --- /dev/null +++ b/endpoints/v2/test/test_v2auth.py @@ -0,0 +1,18 @@ +import pytest + +from endpoints.v2.v2auth import attach_metadata_root_name, CLAIM_APOSTILLE_ROOT + + +@pytest.mark.parametrize('context,access,expected', [ + ({}, None, {}), + ({}, [], {}), + ({}, [{}], {}), + ({}, [{"actions": None}], {}), + ({}, [{"actions": []}], {}), + ({}, [{"actions": ["pull"]}], {CLAIM_APOSTILLE_ROOT: 'quay'}), + ({}, [{"actions": ["push"]}], {CLAIM_APOSTILLE_ROOT: 'signer'}), + ({}, [{"actions": ["pull", "push"]}], {CLAIM_APOSTILLE_ROOT: 'signer'}), +]) +def test_attach_metadata_root_name(context, access, expected): + actual = attach_metadata_root_name(context, access) + assert actual == expected, "should be %s, but was %s" % (expected, actual) diff --git a/endpoints/v2/v2auth.py b/endpoints/v2/v2auth.py index 45f248961..3469044c4 100644 --- a/endpoints/v2/v2auth.py +++ b/endpoints/v2/v2auth.py @@ -16,6 +16,7 @@ from util.cache import no_cache from util.names import parse_namespace_repository, REPOSITORY_NAME_REGEX from util.security.registry_jwt import generate_bearer_token, build_context_and_subject +CLAIM_APOSTILLE_ROOT = 'com.apostille.root' logger = logging.getLogger(__name__) @@ -158,6 +159,27 @@ def generate_registry_jwt(): # Build the signed JWT. context, subject = build_context_and_subject(user, token, oauthtoken) + context = attach_metadata_root_name(context, access) token = generate_bearer_token(audience_param, subject, context, access, TOKEN_VALIDITY_LIFETIME_S, instance_keys) return jsonify({'token': token}) + + +def attach_metadata_root_name(context, access): + """ + Adds in metadata_root_name into JWT context when appropriate + """ + try: + actions = access[0]["actions"] + except(TypeError, IndexError, KeyError): + return context + + if not actions: + return context + + if "push" in actions: + context[CLAIM_APOSTILLE_ROOT] = 'signer' + else: + context[CLAIM_APOSTILLE_ROOT] = 'quay' + + return context